If this action is not granted the ecr:CreateRepository permission, then the following error message is emitted twice on each run:
An error occurred (AccessDeniedException) when calling the CreateRepository operation: User[..] is not authorized to perform: ecr:CreateRepository on resource: [..] because no identity-based policy allows the ecr:CreateRepository action
It is documented (e.g. in v6) that, for ECR, "You don't even need to create the repositories in advance, as this action takes care of that for you!"
However, the action shouldn't need permission to create the repository, if it already exists.
If the action does attempt to create the repositories, without checking whether they already exist, then it should only print a warning if creation fails (instead of an error), because the log should not be cluttered with "errors" that are safe to ignore. Otherwise these messages mislead the debugging of actual errors (such as blank tag names, for example). Note that if the repositories don't already exist then there will be an actual error at a later stage.
As an aside, the creation capability is suggestive of giving an entire GitHub account carte blanche access across ECR, whereas best practice dictates that the permissions granted to each GitHub repo action should be scoped to only the resources it needs. Otherwise a malicious commit in one repo could compromise stable images that are usually derived from completely separate (and better guarded) repos. So it would be inadvisable not to configure each AWS ECR repo individually (and the action ought not already have permission to create the repo before then). Hence the importance of the messaging surrounding repo creation.
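The describe-before-create flow the issue asks for, written out as an added example (this is not the action's own code, nor the reporter's). It assumes a boto3-style ECR client with `describe_repositories` and `create_repository` methods; to run offline it uses a local `ClientError` stub that mirrors the `.response["Error"]["Code"]` shape of `botocore.exceptions.ClientError`, and a constructed `FakeEcr` client in place of the real service. With a real client, `ensure_repository` needs only `ecr:DescribeRepositories` when the repository already exists, and a failed `CreateRepository` is logged as a warning rather than an error so that the later push failure is the one real error in the log.

```python
"""Ensure an ECR repository exists before a push, calling CreateRepository
only when DescribeRepositories says the repository is missing."""
import logging

log = logging.getLogger("ecr-ensure")


class ClientError(Exception):
    """Local stand-in for botocore.exceptions.ClientError (assumption: same
    .response['Error']['Code'] layout), so the example runs without boto3."""

    def __init__(self, code, message, operation):
        super().__init__(
            f"An error occurred ({code}) when calling the {operation} operation: {message}"
        )
        self.response = {"Error": {"Code": code, "Message": message}}


def error_code(exc):
    """Pull the service error code out of a ClientError-shaped exception."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def ensure_repository(ecr, name):
    """Return 'exists', 'created' or 'skipped'.

    1. DescribeRepositories first: needs only ecr:DescribeRepositories.
    2. Only if the repository is missing, attempt CreateRepository.
    3. AccessDenied on create is a warning, not an error: if the repository
       truly does not exist the push will fail later with a clear message.
    """
    try:
        ecr.describe_repositories(repositoryNames=[name])
        log.info("repository %s already exists; CreateRepository not needed", name)
        return "exists"
    except ClientError as exc:
        if error_code(exc) != "RepositoryNotFoundException":
            raise  # AccessDenied on describe is a real misconfiguration: surface it
    try:
        ecr.create_repository(repositoryName=name)
        log.info("created repository %s", name)
        return "created"
    except ClientError as exc:
        if error_code(exc) == "AccessDeniedException":
            log.warning("not permitted to create repository %s; continuing (%s)", name, exc)
            return "skipped"
        raise


class FakeEcr:
    """Constructed stand-in for a boto3 ECR client: a set of existing
    repository names plus a flag for whether CreateRepository is allowed."""

    def __init__(self, existing, can_create):
        self.existing = set(existing)
        self.can_create = can_create
        self.create_calls = 0

    def describe_repositories(self, repositoryNames):
        missing = [n for n in repositoryNames if n not in self.existing]
        if missing:
            raise ClientError(
                "RepositoryNotFoundException",
                f"The repository with name '{missing[0]}' does not exist in the registry",
                "DescribeRepositories",
            )
        return {"repositories": [{"repositoryName": n} for n in repositoryNames]}

    def create_repository(self, repositoryName):
        self.create_calls += 1
        if not self.can_create:
            raise ClientError(
                "AccessDeniedException",
                "User is not authorized to perform: ecr:CreateRepository",
                "CreateRepository",
            )
        self.existing.add(repositoryName)
        return {"repository": {"repositoryName": repositoryName}}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Repository pre-created by an administrator, action lacks create permission:
    print(ensure_repository(FakeEcr(["my-app"], can_create=False), "my-app"))  # exists
    # Repository missing and create not permitted: a warning, not an error:
    print(ensure_repository(FakeEcr([], can_create=False), "my-app"))  # skipped
```

Swapping `FakeEcr` for `boto3.client("ecr")` and the stub for `botocore.exceptions.ClientError` is the only change needed against the real service; the decision logic stays the same.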
@benjimin @soronpo I have this in my queue. I think I know how to improve the action to avoid the permission to create the repo when that's not needed. Just waiting to have some time.
Thanks for reporting the issue.